Change #274409
| Category | wget |
| Changed by | Acts1631 <acts1631kjv@proton.me> |
| Changed at | Thu 09 Jul 2026 19:47:42 |
| Repository | https://gitlab.com/gnuwget/wget.git |
| Project | wget |
| Branch | master |
| Revision | 4f85853f641863d5915786a8413e1a213726a62b |
Comments
ftp: validate PASV/LPSV response address against control connection peer * src/ftp-basic.c (ftp_pasv): Reject if peer address doesn't match advertised address, (ftp_lpsv): Likewise. ftp_pasv() and ftp_lpsv() copied the IP address and port advertised in the server's 227 response without checking that it matched the peer of the control connection. A malicious or compromised FTP server could therefore direct wget's data connection to an arbitrary host and port of its choosing (e.g. an internal service unreachable from the attacker directly), which is a server-side request forgery. ftp_epsv() was already safe since it only extracts a port and reuses the pre-filled control-connection address. Fix ftp_pasv() and ftp_lpsv() the same way: capture the control connection's peer address via socket_ip_address() before parsing the response, and reject the response (FTPINVPASV) if the parsed address does not match. Verified with a fake FTP server that returns a PASV response pointing at a different loopback address (127.0.0.2 instead of the real peer 127.0.0.1): before the fix wget connects to the spoofed address, after the fix it rejects the response with "Cannot parse PASV response." Legitimate transfers using a correctly-addressed PASV response continue to work. Copyright-paperwork-exempt: Yes
Changed files
- src/ftp-basic.c